Authentication is one of the essential components of information security. It has
become one of the most basic security requirements for network communication.
Today, there is a necessity for a strong level of authentication to guarantee that
a significant level of security is conveyed to the application. As such, it
raises challenging issues of security and efficiency. Security issues such
as privacy and data integrity emerge because of the absence of control and
authority. In addition, the bigger issue for multi-factor authentication is
the high execution time that leads to overall performance degradation. Most
existing studies related to multi-factor authentication schemes do not detect
weaknesses based on user behavior. Most recent research does not look at
the efficiency of the system, focusing only on improving the security aspect of
authentication. Hence, this research proposes a new multi-factor authentication
scheme that can withstand attacks, based on user behavior, while maintaining
optimum efficiency. Experiments have been conducted to evaluate this scheme.
The results of the experiment show that the processing time of the proposed
scheme is lower than the processing time of other schemes. This is particularly
important because additional security features have been added to the scheme.

Keywords:
Attack recognition
Efficiency
Multi-factor authentication
Security


This is an open access article under the CC BY-SA license. 





Corresponding Author: 


Fiza Abdul Rahim, 

Department of Computing, College of Computing and Informatics, 
Universiti Tenaga Nasional, 

43000 Kajang, Selangor, Malaysia 

Email: fiza@uniten.edu.my 








1. INTRODUCTION 

Advancements and improvements in network infrastructure have brought about the integration of
electronic devices and information sharing that is accessible to the public. Security is therefore
a significant subject when it comes to information and data being shared [1, 2]. Security leads to
the importance of secrecy and authentication. Secrecy refers to the protection of sensitive data against
unauthorized access and modification. Authentication, by contrast, is a mechanism to verify the identity of a user
or process, which helps to prevent unauthorized access to sensitive data [3, 4]. This research concentrates on
authentication security while maintaining optimum efficiency. Security constraints in the authentication system
must be placed at the highest level and must be a priority in the development of a secure
system [5, 6]. The user authentication level is determined based on the system's specified permissions [7-9].
Any authentication application involving public exposure, or any business-critical application, requires a higher
level of protection, especially against authentication attacks that may compromise hardware and/or data [10].

To compensate for the authentication process, various technologies have been developed to address
the weaknesses of authentication based on specific objects and knowledge factors [11, 12]. However, there is an
increasing number of attacks related to authentication methods [2, 13-16]. Among the techniques
developed to counter these attacks is the attack recognition technique, which can add security features to
multi-factor authentication. The attack recognition technique has been in existence for
a long time and has expanded over the past decades into the computer security domain, particularly
in intrusion detection systems (IDSs) and intrusion prevention systems (IPSs). This research incorporates the plan
recognition technique of [17] as attack recognition in the authentication system.

At the time this research was conducted, no other research had introduced the attack recognition
technique into authentication systems. The technique is widely used in intrusion detection systems (IDSs),
decision making and language understanding. For example, a new set of attack instances is identified to
allow an IDS to detect possible new types of intrusion. In a decision-making system, attack recognition is used
to analyze user actions in order to determine their goal or result [18-20]. Based on the output, an appropriate
response is proposed to the user.

In addition to security, authentication efficiency places emphasis on the time taken. Where
there is a high level of security, the authentication process takes longer to verify a full message [21-23].
According to [17], efficiency is captured by measuring the time required to complete a task or the number of
clicks or buttons pressed to achieve the required goal. Hence, a system is considered good not only for its
functionality and level of protection; it must also be efficient, enabling users to achieve their goal
within a reasonable amount of time [24].


2. RESEARCH METHOD 
2.1. Research method for security 

In the authentication step, the overall process of the attack recognition technique is illustrated in
Figure 1. As Figure 1 shows, attack recognition receives data input from the user and observes
the user's behaviour in providing this data. This involves taking a series of observed user
actions and matching them with examples of attacks available in the attack template database.
The appropriate response is given based on the matching result, that is, whether the user is legitimate or
a potential attacker. The entire process, from evaluating the user behavior and matching the actions to
known attacks in the database to providing the appropriate response or action, is carried out using the attack
recognition technique.

[Flowchart; box labels: User login behavior; Attack verification; Found match in attack recognition template database?; Attack information; No attack detected; Successful; Not Successful]

Figure 1. Attack recognition steps

In the conventional authentication model, user identification is based on a password, PIN or
signature [25-27]. In a biometric authentication system, by contrast, a user is identified by physical or
behavioral features. Such features include fingerprints, palm prints, eyes, iris, signature, voice, etc. In this study,
the user input, namely the user's username, face and fingerprint, is compared during the matching
process and must fit the data stored in the attack template database. The attack template database, which is kept
in the system's database, contains all the information needed to identify and recognize an authorized user based
on his user input. The database may be placed in a remote location or in the same location
as the scheme. In the proposed scheme, the database sits on the same workstation as the scheme.

After the matching process is done, the system gives an appropriate message based on the result of
the matching. If the user's action matches a template in the attack template database, the system generates
an error message (attack information), which explains the attack, the purpose of the attack, and the actions to
resolve it. If no match is found, the user is considered legitimate, a message stating "No Attack
Detected" is shown, and the user is allowed to proceed. The proposed scheme must recognize the true
plan and intention of the user, and should also respond appropriately to the user's actions.
Detecting an intruder in web applications is even harder, as the number of users on the internet is massive
compared to normal desktop applications. This research presents the security analysis that was done to test
whether the proposed multi-factor authentication scheme withstands attacks, based on the user attacks plan in the attack
template database as shown in Table 1.


Table 1. User attacks plan
No.  List of Attacks
1    Attempted Break-in
2    Masquerading or Successful Break-in
3    Intercepts by Unauthorized User
4    Leakage by Illegitimate User





The user attacks plan consists of user action and user behavioral templates that the program
evaluates during the user login process. The proposed scheme was deliberately run by users under specific
conditions in order to measure its level of security against user attacks. The user attack plan
aims to provide an added layer of security by filtering out non-legitimate users who are attempting to break
into the system. Even if a user passes the initial steps of authentication (biometric and key generator), he or she
might still be an attacker. Attack recognition analyzes the user's actions and behavior during
the login process to determine whether the user has any ill intention. Since no previous research has
applied user attacks in its schemes, no comparison is made in the experiment.

In this experiment, 15 respondents were involved in testing the proposed scheme. The general steps of
the experiment are listed below:

— All users are required to register themselves in the system. 

— The user will try to log in and go through the authentication process. 

— The user must follow the necessary steps to trigger the user attack plan during authentication process. 
— Analysis of the results. 

All respondents must follow the steps of the user attack plan as tabulated in Tables 2-5: 


Table 2. Attack type: attempted break-in
Steps:
  1) The user has a valid username.
  2) The user does not have valid password.
  3) The user attempts to guess a random password.
Condition: 3 continuous invalid logins
Triggered Action: Username is highlighted as suspicious and details sent to the admin





Table 3. Attack type: masquerading or successful break-in
Steps:
  1) The user has a valid username.
  2) Three-factor authentications (password, face, and fingerprint) is entered from different location (different IP address).
  3) The user successfully logs in.
Condition: 3 continuous login attempts but each login attempt are from different IP
Triggered Action: Username is highlighted as suspicious and details sent to the admin

Table 4. Attack type: intercepts by an unauthorized user
Steps:
  1. The user has a valid username.
  2. The user successfully logs in to the 3-factor authentication.
  3. The user keeps repeating login process in a short period of time.
Condition: 3 successful logins within 1 minute
Triggered Action: Username is highlighted as suspicious and details sent to the admin

Table 5. Attack type: leakage by illegitimate user
Steps:
  1. The user has a valid username.
  2. The user successfully logs in to the 3-factor authentication.
  3. The user logs in at odd hours.
Condition: 3 continuous successful logins
Triggered Action: Username is highlighted as suspicious and details sent to the admin.
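
The four templates in Tables 2-5 expressed as detection logic over a login log, as an added example that is not code from the paper. The event layout, the names `classify`, `recognize` and `ev`, the table-order precedence between templates and the 00:00-04:59 reading of "odd hours" are assumptions; the sample log is constructed.

```python
from datetime import datetime, timedelta

RUN = 3                        # every template in Tables 2-5 needs 3 consecutive attempts
WINDOW = timedelta(minutes=1)  # Table 4: three successful logins within 1 minute
ODD_HOURS = range(0, 5)        # assumption: the paper does not define "odd hours"

def classify(last3):
    """Match one user's last three attempts against the templates, in table order."""
    ok = [e["ok"] for e in last3]
    ts = [e["ts"] for e in last3]
    if not any(ok):
        return "attempted break-in"                    # Table 2: 3 invalid logins
    if len({e["ip"] for e in last3}) == RUN and ok[-1]:
        return "masquerading or successful break-in"   # Table 3: each attempt from a new IP
    if all(ok) and ts[-1] - ts[0] <= WINDOW:
        return "intercepts by unauthorized user"       # Table 4
    if all(ok) and all(t.hour in ODD_HOURS for t in ts):
        return "leakage by illegitimate user"          # Table 5
    return None

def recognize(events):
    """Return {username: attack type} for every username that should be highlighted."""
    history, flagged = {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        attempts = history.setdefault(e["user"], [])
        attempts.append(e)
        if len(attempts) >= RUN and e["user"] not in flagged:
            attack = classify(attempts[-RUN:])
            if attack:
                flagged[e["user"]] = attack  # the scheme would also notify the admin here
    return flagged

def ev(user, clock, ip, ok):  # builds one constructed event (hypothetical record layout)
    return {"user": user, "ts": datetime.fromisoformat(f"2024-01-01T{clock}"), "ip": ip, "ok": ok}

SAMPLE = [  # constructed log; usernames and addresses are illustrative only
    ev("alice", "10:00:00", "192.0.2.10", False), ev("alice", "10:00:20", "192.0.2.10", False),
    ev("alice", "10:00:40", "192.0.2.10", False),
    ev("bob", "11:00:00", "192.0.2.20", True), ev("bob", "11:10:00", "198.51.100.7", True),
    ev("bob", "11:20:00", "203.0.113.5", True),
    ev("carol", "12:00:00", "192.0.2.30", True), ev("carol", "12:00:20", "192.0.2.30", True),
    ev("carol", "12:00:45", "192.0.2.30", True),
    ev("dave", "02:00:00", "192.0.2.40", True), ev("dave", "02:30:00", "192.0.2.40", True),
    ev("dave", "03:00:00", "192.0.2.40", True),
    ev("erin", "09:00:00", "192.0.2.50", False), ev("erin", "09:00:30", "192.0.2.50", True),
    ev("erin", "17:00:00", "192.0.2.50", True),
]

print(recognize(SAMPLE))
```

The last user in the sample mistypes once and then logs in normally, so no template matches and the username is not highlighted.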





In the user attack plan above, each type of attack has different steps for determining the security
level of the proposed scheme. The action is the proposed scheme's response to the user's attack steps,
and is given in accordance with the condition triggered in the scheme.

Respondents were given three attempts to log in via the proposed scheme.
The result from the proposed scheme is compared with two previous schemes from [11, 28]. Both
studies were selected because their schemes have many similarities with the proposed scheme in terms of
functionality and performance. Although other earlier research was considered for comparison, it did not use
an algorithm, lacked experimental methods or lacked the data necessary to compare performance measurements. All
15 respondents are expected to successfully enroll in all 3 schemes first. This ensures that the users'
information is maintained in the records of the system, which will recognize them as legitimate users. Figure 2
summarizes the experiment done to measure the level of efficiency for all schemes.


[Diagram; box labels: Efficiency; Experiment; Proposed scheme; Raja & Perumal, 2013; Li et al., 2013; Authentication Time (sec) under each scheme]

Figure 2. Summary of the experiment


3. RESULTS AND ANALYSIS 
3.1. Result analysis for security 

All 15 respondents carried out the four user attack plans listed in Table 1 to test the security level
of the proposed scheme. As all respondents are required to follow the steps needed to trigger the user attack
plan, the input is matched with the templates stored in the attack template database. The results show that
the proposed scheme can withstand attacks and provide an appropriate response based on input from
the respondents.


3.2. Result analysis for efficiency 

It can be seen that the proposed scheme showed lower times, and hence a shorter time to complete
the task. Figure 3 shows the total time for all three logins done by the respondents in the experiment. From
the result shown in Figure 3, not only did the proposed scheme take less time to execute the task, it also
showed almost the same processing time for all fifteen (15) recorded respondents. The previous scheme by [28]
showed the second-best result. Finally, [11] took the longest time. Table 6 summarizes the experiment result
based on average time in seconds for efficiency.

Figure 3. Total time taken for all schemes


Table 6. Summary of result for three schemes
Rank  Scheme               Average Time (sec)
1     Proposed Scheme      15
2     Li et al. [28]       21
3     Raja & Perumal [11]  28





4. CONCLUSION 

The proposed scheme authenticates users on any application through the execution
of the attack recognition technique along with a biometric matching process. This is done by matching the input
from the user with a template stored in the database. Additionally, this research integrates the attack
recognition process to detect potential impostors based on observed impostor actions. Attack
recognition is able to forecast the impostor's actions and provide a suitable response based on them.

This research also measured the efficiency of the scheme based on processing
time. The time runs from the user's login until they succeed in accessing the system. The experiment
showed the proposed scheme to be faster in processing time, and so better in terms of efficiency, than
the previous schemes by Raja & Perumal [11] and Li et al. [28]. The scheme by Raja & Perumal [11] had a high
processing time during the random number generator step: the random number was sent to the user's mobile
phone, which was on a different network (GSM), and this contributed to the higher processing time.
The scheme by Li et al. [28], on the other hand, used a robust biometric multi-factor technique called
the elliptic curve cryptosystem. This technique aimed to provide a higher security level but
contributed to higher processing times. Based on the experiment results, the proposed scheme was able to
achieve these results even with all its integrated security features. With the increasing number of attacks and
intrusions on authentication systems, it is important to keep them secure and executable in a reasonable
amount of time without delaying processing.